What is the advantage over switched port analyzer span feature?

A port mirroring session sends a copy of packets from one switch to a port on the destination (or monitor) switch. Mirror individual ports whenever possible. Ideally, mirror ports that are directly connected to the servers that host the applications of interest. The ideal location is a core switch in a network operations or data center. However, any switch with maximum visibility into the traffic of interest is acceptable.

In a Cisco environment, port mirroring is accomplished with the Switch Port Analyzer (SPAN) feature. SPAN lets you copy traffic from physical ports on a switch to another port on that switch.

You configure port mirrors by creating a monitor session consisting of a source and destination.

A session source consists of the following attributes:

  • Session number: Differentiates a monitor session from others on the switch.

  • Session source: The physical ports or VLANS from which the SPAN copies data.

    • Source ports can be L2 or L3 LAN ports.

    • Trunk and non-trunk ports can be used at the same time.

    • Do not configure WAN interfaces to be source ports (such as ATM interfaces).

    • Do not configure EtherChannel ports as source ports. IOS versions 12.1(13)E and later do not permit such configuration.

    • Do not mix physical ports and VLANs as sources within the same monitor session. Configure either physical ports or VLANs.

    • When you specify the source information using a VLAN or VLAN list, the SPAN function is known as VLAN SPAN or VSPAN. Sourcing from a VLAN adds every interface in the VLAN to the monitor session.

  • Session direction: The direction of the traffic you want to copy: receiving (RX), transmitting (TX), or both (the default).

A session destination specifies the physical port to which the mirror port copies data. A destination port can be any physical port.

  • With release 12.1(13)E and later of Cisco IOS, you can configure the destination port to be a trunk port. This configuration lets you forward VLAN tags to the collection device. You can use the switchport trunk allowed vlan command to filter the data that leaves the destination port.

  • A destination port can service only one SPAN session and cannot be an EtherChannel port.

  • A monitor session can have up to 64 destination interfaces.

What are SPAN ports? 

SPAN was originally defined by Cisco as an acronym for Switch Port Analyzer. It refers to port mirroring, as used on a network switch, which sends copies of data traffic on specific ports or VLANs to network monitoring tools. These can include packet sniffers (e.g. Wireshark), IDS (e.g. Snort), or Web analysis tools (e.g. Websense). Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN). Other common terms for this feature include Port Mirroring, but SPAN has become a generic industry term, regardless of switch manufacturer. Cisco also offers Remote Switched Port Analyzer (RSPAN), allowing SPAN ports on remote switches to be brought back across the network to the SPAN port of the primary switch, to which the tool is attached.

What are network TAPs? 

TAPs are dedicated hardware devices providing access to the data flowing on a fiber or copper link between two network devices (e.g. a switch and router, firewall and router, etc.). A basic TAP has a minimum of four ports. The two “Network ports” connect to the link endpoints and provide a non-intrusive pass-through for data traffic. The two “Monitor ports” hand off copies of the link traffic to the monitoring tools. A simple duplex TAP hands off copies of the data coming from one endpoint device out the first monitor port, and copies from the other endpoint device out the second monitor port. Variations include TAPs with the capability to merge data from both sides of the duplex link (aggregation TAPs), the capacity to send multiple copies of the data to a variety of tools (regeneration TAPs), and models that tap multiple links in a single unit (multi-link TAPs). These will be discussed in detail in a future installment of this series.

Benefits of TAPs 

The advantages of using TAPs rather than SPAN ports for monitoring tool access are myriad. Let’s examine those before assessing the benefits of SPAN ports. 

One-time setup and configuration

The simplest TAPs need only to be physically connected to the cabling between link endpoints. More feature-rich TAPs may require initial configuration of a management port and monitor ports, but this is typically done only once, at time of install. Once installed, a TAP will always send data from that link to the tools of your choice. SPAN ports must be configured each time you wish to change the source (ports or VLANs) sending data to the tools. In many environments, this requires a scheduled Change Control window, and in some industries (e.g. securities trading) it cannot be done during weekday business hours.

Little to no risk of packet loss caused by high utilization 

Duplex non-aggregated TAPs pass every packet through to the Monitor Ports with zero risk of loss (aggregation TAPs may present a small risk of oversubscription). If a SPAN port has a large volume of data being sent through it, there are two distinct risks:

  1. Packet loss due to oversubscription: network switches prioritize real-time data traffic over SPAN traffic. If a switch is heavily utilized, it will drop SPAN packet copies rather than risk dropping real-time data.

  2. In some instances, initiating a SPAN session when a switch is being heavily utilized can impact performance of the switch (this is generally the case with smaller switches such as workgroup models, and not true of robust core switches).
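The source and destination rules listed earlier and the oversubscription risk described here can both be checked before a change window. The following is an added example, not code from the original page or from Cisco: it models a monitor session with my own Source, Destination and Session classes, lints it against those rules, estimates the worst-case copy rate relative to the destination port (assuming full-duplex links, so mirroring "both" directions of a link can double its rate), and renders the equivalent IOS monitor session commands.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Constructed example for the SPAN session rules described above. It is not code
# from the original page or from Cisco; the class and function names are my own.
# Speeds are worst-case full-duplex link rates in bits per second (assumption).

MAX_DESTINATIONS = 64          # limit stated on the page


@dataclass
class Source:
    name: str                  # interface name, or the VLAN id when kind == "vlan"
    kind: str = "port"         # "port" or "vlan"
    direction: str = "both"    # "rx", "tx" or "both" (both is the IOS default)
    speed_bps: int = 1_000_000_000   # for a VLAN: summed rate of its member links (assumption)
    etherchannel: bool = False
    wan: bool = False


@dataclass
class Destination:
    name: str
    speed_bps: int = 1_000_000_000
    etherchannel: bool = False


@dataclass
class Session:
    number: int
    sources: List[Source] = field(default_factory=list)
    destinations: List[Destination] = field(default_factory=list)


def lint_session(session: Session, used_elsewhere: Set[str] = frozenset()) -> List[str]:
    """Return the page's configuration rules that this session violates.

    used_elsewhere: destination port names already serving another SPAN session.
    """
    problems = []
    kinds = {s.kind for s in session.sources}
    if kinds == {"port", "vlan"}:
        problems.append("source mixes physical ports and VLANs")
    for s in session.sources:
        if s.etherchannel:
            problems.append(f"{s.name}: EtherChannel ports cannot be sources")
        if s.wan:
            problems.append(f"{s.name}: WAN interfaces must not be sources")
        if s.direction not in ("rx", "tx", "both"):
            problems.append(f"{s.name}: unknown direction {s.direction!r}")
    if len(session.destinations) > MAX_DESTINATIONS:
        problems.append(f"{len(session.destinations)} destinations exceeds {MAX_DESTINATIONS}")
    for d in session.destinations:
        if d.etherchannel:
            problems.append(f"{d.name}: EtherChannel ports cannot be destinations")
        if d.name in used_elsewhere:
            problems.append(f"{d.name}: already serves another SPAN session")
    return problems


def mirrored_bps(session: Session) -> int:
    """Worst-case copy rate the session can generate: rx or tx is one link rate, both is two."""
    return sum(s.speed_bps * (2 if s.direction == "both" else 1) for s in session.sources)


def oversubscription(session: Session) -> float:
    """Copy rate divided by the slowest destination rate; above 1.0 the switch drops SPAN copies."""
    slowest = min(d.speed_bps for d in session.destinations)
    return mirrored_bps(session) / slowest


def render_ios(session: Session) -> List[str]:
    """Render the IOS 'monitor session' lines for this session (VSPAN when kind == 'vlan')."""
    n = session.number
    lines = []
    for s in session.sources:
        target = f"vlan {s.name}" if s.kind == "vlan" else f"interface {s.name}"
        lines.append(f"monitor session {n} source {target} {s.direction}")
    for d in session.destinations:
        lines.append(f"monitor session {n} destination interface {d.name}")
    return lines


# Constructed session: two server-facing access ports mirrored in both
# directions into one analyzer port of the same speed.
EXAMPLE = Session(
    number=1,
    sources=[Source("GigabitEthernet1/0/1"), Source("GigabitEthernet1/0/2")],
    destinations=[Destination("GigabitEthernet1/0/24")],
)

if __name__ == "__main__":
    for p in lint_session(EXAMPLE):
        print("rule violation:", p)
    print(f"worst-case copy rate: {mirrored_bps(EXAMPLE) / 1e9:.1f} Gbit/s "
          f"({oversubscription(EXAMPLE):.1f}x the destination)")
    print("\n".join(render_ios(EXAMPLE)))
```

Running it shows that mirroring two 1 Gbit/s ports in both directions can push up to 4 Gbit/s toward a 1 Gbit/s destination, a 4x oversubscription under load; restricting the direction to rx, or moving the analyzer to a faster port, brings the ratio down. After applying the rendered lines, show monitor session 1 on the switch confirms the configured source and destination.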

All packets are passed to the tools 

Network troubleshooting often involves using packet sniffers to examine the number of runts, fragments, and CRC errors. SPAN ports identify these as “bad packets” and discard them.

Deployment flexibility 

TAPs can be placed in any link that needs to be monitored. They provide information about the specific activity on the link, rather than just showing what is coming from the switch. Also, they are not tied to the physical location of a switch. If dark fiber or extra copper runs are available, a TAP can be deployed remotely in a building or on a campus, with the Monitor Port data being sent via “home run” to the location of the tool.

Permanent point of access

In some environments there are links which may occasionally require direct visibility to be available, but there is no proven need for constant 24×7 monitoring. Installing TAPs in such links allows field personnel with portable troubleshooting equipment to connect and diagnose problems – without ever interrupting the link activity.

Security 

Although it can generally be assumed that a switch on the trusted side of a network is secure, switches in the DMZ are more vulnerable to attacks. TAPs are invisible to the network. If traffic on a specific link is hacked, the TAP still provides 100% visibility to the security tools.

Benefits of SPAN Ports

With so many evident benefits derived from using TAPs, what is the argument in favor of SPAN ports?

No cost for acquisition

SPAN ports are a feature already built into most network switches. No additional hardware cost is involved in deploying them.

Ideal for occasional reactive troubleshooting

Most networks have hundreds, or many thousands, of individual physical links to workstations, servers, and a broad array of other devices that are not part of the core network’s critical infrastructure. There may also be IDFs (Independent Data Facilities) or even satellite offices that have only a few switches. It is usually impractical to provide constant monitoring of such locations with TAPs. Problems experienced at such sites are typically infrequent and require reactive troubleshooting when they occur. The use of SPAN or RSPAN is often an ideal solution for these instances.

Conclusions 

The use of TAPs does not preclude the use of SPAN ports. In many cases, users connect both TAPs and SPAN ports to Network Packet Brokers (devices that accept multiple data source inputs, which can be aggregated, replicated, and even filtered to send only specific types or sources of data to the monitoring tools). SPAN ports are also a quick and easy way to perform diagnostics and isolate issues at locations where 24×7 monitoring is not required. Field techs with a laptop running Wireshark or other troubleshooting tools can easily connect without taking links down to temporarily install a TAP.

Network Packet Brokers will be discussed in detail in a future installment of this series.

What is the advantage of network tap over a SPAN port for network data collection?

Taps offer significant advantages over SPAN ports when monitoring the network. One benefit is that you can "set and forget" taps because they are a one-time intrusion to the network. SPAN ports require you to configure the switch (or switches) every time you want to change the switch data that needs to be copied.

What is the difference between a network tap and a switched port analyzer SPAN )?

  2. Passive TAPs provide continuous access to traffic and require no user intervention or configuration once installed — a true set-and-forget solution.

  3. SPAN ports are easily oversubscribed, resulting in dropped packets and leading to unsatisfactory or inconsistent results for monitoring and security purposes.

What is the purpose of the SPAN port?

What is a SPAN port? SPAN (Switched Port Analyzer) is a dedicated port on a switch that takes a mirrored copy of network traffic from within the switch to be sent to a destination. The destination is typically a monitoring device, or other tools used for troubleshooting or traffic analysis.

Why is the SPAN feature necessary on today's switches?

Port mirroring (or SPAN) is a method used on modern network switches to send a copy of network traffic (packets) for further analysis in various applications including performance monitoring and security.